Log Files Slides

Log files: A wealth of forensic evidence
Kevin Powe Integral Technology Solutions
The most comprehensive Oracle applications & technology content under one roof
More info at http://bit.ly/kapowelogs
Forensic process
Log files Case files Tools
The Forensic Process
Step One: Secure The Scene
Operating System Evidence

netstat for network issues top or Windows Task Manager for CPU issues iostat or vmstat for I/O issues
Rolling Log Files
Cause
2-4PM
Symptoms
4-6PM
Step Two: Investigate The Scene
Dont. Search. The. Log. Files.

Error
versus
Warning
Failing versus Failed
Step Three: Gather And Correlate Evidence
Step Four: Build A Hypothesis
1) Secure the scene

2) Investigate the scene 3) Gather and correlate evidence
4) Build a hypothesis
Forensic process
WebLogic Server Domain

AdminServer managedServer1
Java processes
managedServer2
HTTP Access Logs
192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487
192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167
rfc931
Remote host authuser
date
192.168.5.6
[19/Nov/2010:13:34:49 +0800]
request
"POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1

status 200 bytes 1167
ELF = Extended Logging Format
Extended Logging Format Fields

Common format fields
date time bytes sc-status
Request fields
cs-method cs-uri cs-uri-stem cs-uri-query
Network fields
c-ip s-ip c-dns s-dns
The Good Stuff

cs-comment time-taken custom
Server log files
####<2/08/2011 12:49:35 AM EST> <Notice> <Server> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1312210175933> <BEA-002613> <Channel "Default" is now listening on 10.0.2.15:7001 for protocols iiop, t3, ldap, snmp, http.>
####<2/08/2011 12:49:35 AM EST> <Notice> <WebLogicServer> <brother-eye> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1312210175933> <BEA-000331> <Started WebLogic Admin Server "AdminServer" for domain "example1030Domain" running in Development Mode>
Timestamp
Severity
Subsystem
Machine
<2/08/2011 12:49:35 AM EST> <Notice> <WebLogicServer> <brother-eye>

Server Thread ID
<AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'>

User Txn ID Diagn. Time (msecs) Message ID Text
<<WLS Kernel>> <>
<> <1312210175933> <BEA-002613> <Channel "Default" is

Debug flags
HTTP: SSL: JDBC:
weblogic.servlet.DebugHttp default.DebugSSL weblogic.jdbc.sql.DebugJDBCSQL
<4/08/2011 07:47:35 PM EST> <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is /console/console.portal?_nfpb=true&_pageLabel=HomePage1.> Loaded index.jsp page Loaded index.jsp page Loaded index.jsp page <4/08/2011 23:20:34 PM EST> <Info> <Health> <brother-eye> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <> <1311830434630> <BEA-310002> <86% of the total memory in the server is free>
TO
<4/08/2011 07:53:38 PM EST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING> <4/08/2011 07:53:38 PM EST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode> <4/08/2011 07:53:49 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page> <4/08/2011 07:53:50 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page> <4/08/2011 07:53:51 PM EST> <Notice> <Stdout> <BEA-000000> <Loaded index.jsp page> <4/08/2011 08:20:34 PM EST> <Info> <Health> <brother-eye> <AdminServer> <weblogic.GCMonitor> <<anonymous>> <> <> <1311830434630> <BEA-310002> <86% of the total memory in the server is free>
Oracle Service Bus tracing

JMS Message Logs
SOA Suite Diagnostic Logs
Forensic process
Case File #1 An Unbalanced Load

Sun Reverse Proxy Load balancer Sun Reverse Proxy
WebLogic Server
WebLogic Server
cat access.log* | awk { print $x } | sort | uniq

(where x = position of the cookie in the log file)
Case File #2 Fear Of Commitment

Oracle Service Bus
Tuxedo
Forensic process
Tools
Editors The Gun vi Querying data find grep sed awk tail Analysis Excel R Splunk
@kapowe kevinpowe kapowe

Log Files Slides

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Log Files Slides

Diunggah oleh

Hak Cipta:

Format Tersedia

Log files: A wealth of forensic evidence

Kevin Powe Integral Technology Solutions

More info at http://bit.ly/kapowelogs

The Forensic Process

Step One: Secure The Scene

Operating System Evidence

Rolling Log Files

Step Two: Investigate The Scene

Dont. Search. The. Log. Files.

Failing versus Failed

Step Three: Gather And Correlate Evidence

Step Four: Build A Hypothesis

1) Secure the scene

WebLogic Server Domain

HTTP Access Logs

192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /AccountServices/ProxyServices/AccountServices HTTP/1.1" 200 29487

192.168.5.6 - - [19/Nov/2010:13:34:49 +0800] "POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1" 200 1167

"POST /WarehousingServices/ProxyServices/RequestOrderDetails HTTP/1.1

ELF = Extended Logging Format

Extended Logging Format Fields

The Good Stuff

Server log files

<2/08/2011 12:49:35 AM EST> <Notice> <WebLogicServer> <brother-eye>

<AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'>

<<WLS Kernel>> <>

<> <1312210175933> <BEA-002613> <Channel "Default" is

HTTP: SSL: JDBC:

weblogic.servlet.DebugHttp default.DebugSSL weblogic.jdbc.sql.DebugJDBCSQL

Oracle Service Bus tracing

JMS Message Logs

SOA Suite Diagnostic Logs

Case File #1 An Unbalanced Load

Sun Reverse Proxy Load balancer Sun Reverse Proxy

cat access.log* | awk { print $x } | sort | uniq

Case File #2 Fear Of Commitment

Oracle Service Bus

@kapowe kevinpowe kapowe

Anda mungkin juga menyukai